Audit the security infrastructure
Overview
Use the Auditing Facility to...
- Track and archive auditable events
- Confirm the integrity of the existing security configuration
- Identify areas of improvement
Before enabling the security auditing subsystem, enable global security.
Each time a Java EE 5 application accesses a secured resource, any internal application server process that includes an audit point can be recorded as an auditable event. Auditable event types include...
- Authentication
- Authorization
- Principal/Credential Mapping
- Audit policy management
- User registry and identity management
- Delegation
- Administrative configuration management
The auditing subsystem provides the ability to audit...
- Who updated, added or changed a specific admin configuration file
- Who invoked any of the admin commands
Restriction: Audit instrumentation has not been included in the Web services client run time.
Events can be recorded in audit log files, which can be signed and encrypted, in order to...
- Discover breaches of the existing security mechanisms
- Discover potential weaknesses in the current security infrastructure
- Provide evidence of accountability and nonrepudiation
- Support vulnerability analysis
The security auditing configuration provides...
- Four default filters
- A default audit service provider
- A default event factory
The default implementation writes to a binary text-file based log, which can be read using the Audit Reader.
Audit the security infrastructure
- Enable the security auditing subsystem
Global security must be enabled for the security audit subsystem to function.
- Assign the Auditor role to a user
We can separate the auditing role from the authority of the administrator. When Security Auditing is initially enabled, the cell administrator has auditor privileges. If the environment requires separation of privileges, then changes will need to be made to the default role assignments.
- Create security auditing event type filters
In general, for easier analysis, we want to record only a specific subset of auditable event types in the audit logs.
- Set the audit service provider
A default audit service provider implementation is available. A third party implementation can also be coded and used.
- Set audit event factories for security auditing
The factory...
- Gathers data associated with the auditable events
- Creates an audit data object
- Sends audit data object to the audit service provider to be formatted and recorded to the repository
- Protect the security audit data
To ensure that access to the data is restricted and that the data is tamper-proof, we can encrypt and sign the audit data.
- Set security audit subsystem failure notifications
Generate alerts when the security auditing subsystem experiences a failure. Alerts can be written to the system logs or sent by e-mail.
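The procedure above, expressed as a wsadmin Jython script (an added example, not from the original page or the product documentation): the AdminTask command and parameter names are assumed to be those of the AuditConfigCommands group and should be confirmed with `AdminTask.help('AuditConfigCommands')` on the installed release; the filter names and the e-mail address are placeholders.

```jython
# wsadmin Jython, run as: wsadmin.sh -lang jython -f audit_setup.py
# Assumed AdminTask commands/parameters (AuditConfigCommands group);
# confirm with AdminTask.help('AuditConfigCommands') before use.

# 1. Enable the security auditing subsystem (global security must already be on).
AdminTask.enableAudit()

# 2. Record only a specific subset of events: failed or denied authentication
#    and authorization attempts, which is what breach discovery usually needs.
AdminTask.createAuditFilter('-name authnFailures -eventType SECURITY_AUTHN -outcome FAILURE')
AdminTask.createAuditFilter('-name authzDenied -eventType SECURITY_AUTHZ -outcome DENIED,FAILURE')

# 3. Record who updated the administrative configuration (success and failure).
AdminTask.createAuditFilter('-name adminConfig -eventType SECURITY_MGMT_CONFIG -outcome SUCCESS,FAILURE')

# 4. Failure notification for the audit subsystem itself: write to the system log
#    and e-mail the auditor (placeholder address).
AdminTask.createAuditNotification('-notificationName auditFailureAlert -logToSystemOut true '
                                  '-sendEmail true -emailList auditor@example.com -emailFormat html')

# 5. Audit policy WARN: on an audit failure, warn but keep the server running
#    (FATAL would stop the server; NOWARN would ignore the failure).
AdminTask.modifyAuditPolicy('-auditPolicy WARN')

# Persist the configuration changes.
AdminConfig.save()
```

The new filters only take effect once they are referenced by the audit service provider (emitter) in use; the default binary emitter is created with the four default filters.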
Related tasks
Enable the security auditing subsystem
Create security auditing event type filters
Set security audit subsystem failure notifications
Set the default audit service providers for security auditing
Set a third-party audit service provider for security auditing
Set audit event factories for security auditing
Protecting the security audit data
Use the audit reader
Set security auditing using scripting
Securing resources